Address bar spoofing vulnerabilities disclosed by security researchers
Rapid 7 has disclosed a set of address bar spoofing vulnerabilities that affect a number of mobile browsers, ranging from the more common browsers, like Apple Safari and Opera Touch, to the less common, like Bolt Browser and RITS Browser. The announcement is a coordinated vulnerability disclosure publication with security researcher, Rafay Baloch.
Technically, address bar spoofing is an instance of CWE-451 from the Common Weakness Enumeration, and tends to be scored around a CVSS 4.3 or so, which seems like not that big of a deal, says Rapid 7. However, writes Tod Beardsley, "Mobile browsers are a pretty special sort of software that end up acting as a user’s multipass for all types of critical applications in their day-to-day life. Any type of malicious messing with how this application presents itself is kind of a big deal, and can have serious consequences for the user, even if the alterations are relatively minor."